Multiple vulnerabilities in Gandia Integra Total by TESI

Posted date 31/07/2025
Identifier
INCIBE-2025-00414
Importance
5 - Critical
Affected Resources

Gandia Integra Total, from version 2.1.2217.3 to 4.4.2236.1.

Description

INCIBE has coordinated the publication of 8 vulnerabilities (2 of critical severity and 6 of high severity) affecting Gandia Integra Total by TESI, a software product for survey management and market analysis, in versions from 2.1.2217.3 to 4.4.2236.1. They were discovered by David Utón Amaya (m3n0sd0n4ld).

Each vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • from CVE-2025-41370 to CVE-2025-41371: CVSS v4.0: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
  • from CVE-2025-41372 to CVE-2025-41377: CVSS v4.0: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
Solution

The vulnerabilities have been fixed by the TESI team in version 4.4.2431.5.

Detail

Multiple SQL injection vulnerabilities have been found in Gandia Integra Total by TESI, from version 2.1.2217.3 to 4.4.2236.1. They allow an attacker, unauthenticated for two of the affected endpoints and authenticated for the remaining six (see the list below), to retrieve, create, update and delete databases.

The list of parameters, endpoints and assigned identifiers is as follows:

  • No authentication required:
    • CVE-2025-41370: 'idestudio' parameter in /encuestas/integraweb/html/view/acceso.php.
    • CVE-2025-41371: 'idestudio' parameter in /encuestas/integraweb_v4/integra/html/view/acceso.php.
  • With authentication:
    • CVE-2025-41372: 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/informe_campo_entrevistas.php.
    • CVE-2025-41373: 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/hislistadoacciones.php.
    • CVE-2025-41374: 'destudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/gestpaginasesp.php.
    • CVE-2025-41375: 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/consultaincimails.php.
    • CVE-2025-41376: 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/consultacuotasred.php.
    • CVE-2025-41377: 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/consultacuotas.php.
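As an added defensive example (not code from INCIBE, TESI or the researcher), the following Python script expands the advisory's endpoint list, checks whether a deployed version lies in the affected range, and flags access-log requests in which the listed study-id parameter carries a non-numeric value. It assumes that a legitimate study id is an integer and uses constructed Common Log Format lines, not logs from any real system.

```python
import re
from urllib.parse import urlsplit, parse_qs

def is_affected(version):
    """True if a four-part Gandia Integra Total version is in the advisory's affected range."""
    v = tuple(int(x) for x in version.split("."))
    return (2, 1, 2217, 3) <= v <= (4, 4, 2236, 1)

# Endpoint -> injectable parameter, expanded from the advisory's "integraweb[_v4]" notation.
UNAUTH = {
    "/encuestas/integraweb/html/view/acceso.php": "idestudio",
    "/encuestas/integraweb_v4/integra/html/view/acceso.php": "idestudio",
}
AUTH = {
    f"/encuestas/{tree}/integra/html/view/{page}": param
    for tree in ("integraweb", "integraweb_v4")
    for page, param in [("informe_campo_entrevistas.php", "idestudio"), ("hislistadoacciones.php", "idestudio"),
                        ("gestpaginasesp.php", "destudio"), ("consultaincimails.php", "idestudio"),
                        ("consultacuotasred.php", "idestudio"), ("consultacuotas.php", "idestudio")]
}
ENDPOINTS = {**UNAUTH, **AUTH}

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
NUMERIC_ID = re.compile(r"^\d+$")  # assumption: a legitimate study id is a plain integer

def suspicious_requests(log_lines):
    """Return (line_no, path, param, decoded value, auth_required) for non-numeric study-id hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        param = ENDPOINTS.get(parts.path)
        if param is None:
            continue
        for value in parse_qs(parts.query).get(param, []):  # parse_qs percent-decodes the value
            if not NUMERIC_ID.match(value):
                hits.append((n, parts.path, param, value, parts.path in AUTH))
    return hits

# Constructed sample access-log lines (CLF); addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '198.51.100.7 - - [31/Jul/2025:09:12:01 +0200] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=1042 HTTP/1.1" 200 2311',
    '198.51.100.7 - - [31/Jul/2025:09:12:05 +0200] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=1042%27%20OR%201%3D1-- HTTP/1.1" 200 8123',
    '203.0.113.9 - - [31/Jul/2025:09:15:40 +0200] "GET /encuestas/integraweb_v4/integra/html/view/gestpaginasesp.php?destudio=7%3BSELECT HTTP/1.1" 500 412',
]
```

Hits on the two unauthenticated `acceso.php` endpoints deserve the highest priority, since no session is needed to reach them.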
Exploitation
No